Agencies love the Cybersecurity Framework, but loathe compliance

By Richard P. Tracy

Oct 23, 2017

When President Donald Trump signed his long-awaited Cybersecurity Executive Order in May, there was one aspect that grabbed my attention – the mandate for federal agencies to implement the National Institute of Standards and Technology's Cybersecurity Framework.

For some, this mandate caused apprehension; for others, it caused excitement. The NIST Cybersecurity Framework, first developed in 2014, received praise early on because involvement was voluntary; agencies could decide whether the framework was right for them.

In the months following the Cyber EO, apprehension waned as agencies revealed widespread support for the framework. In fact, a majority of the public sector folks polled in a recent survey at the 2017 Amazon Web Services Public Sector Summit favored the mandate, because they viewed it as a critical step toward developing a universal cybersecurity language.

The public sector’s view of the Framework

The survey of 257 attendees found that 89 percent said the cybersecurity framework is “critically important” to their ability to achieve the goals and mission of their organization.

Matt Barrett, program manager for the NIST Cybersecurity Framework, attributes the approval of the framework mandate to the fact that there's “absolutely no prescription for how [agencies] are to use it. I think it walks the line very well between having the mandate and empowering people to use the framework in a way that provides the maximum value.”

I wholeheartedly agree with Matt’s sentiments that the beauty of the framework is in its flexibility. Regardless of whether it was mandated or not, cybersecurity professionals have been yearning for a framework to guide improvements to cyber risk management.

Despite the significant support for the framework, however, with 74 percent overall approval from the same survey respondents, the public sector continues to struggle with compliance challenges as it transitions to more modern technologies, such as cloud.

The struggles with compliance

With 95 percent of respondents calling for a universal cybersecurity language, the survey reveals a public sector hungry for the value that a set of common standards can deliver. However, respondents remain deeply concerned with compliance. When they were asked about their biggest compliance challenges, two stood out -- 46 percent said compliance was too time-consuming and 45 percent said it was too complex.

While these concerns aren’t specific to the Cybersecurity Framework, they represent potential barriers to adoption of any security framework.

Additional challenges that surfaced about compliance included budgetary and personnel concerns, with one respondent citing “the reluctance of government leadership and a fear of reduction in workforce” to properly address current compliance issues. There were three different answers that mentioned “budgets,” highlighting the issues agencies have in securing funding for IT modernization projects.

Complying with security standards has historically been time-consuming and costly, so this is not a new issue. But as the government strives to modernize technology, these concerns are something that we must recognize.

With the Modernizing Government Technology Act now attached as an amendment to the National Defense Authorization Act bill, a true and funded IT modernization effort may finally be in the offing. To ensure reasonable expectations for modernization, the issues of IT projects taking too long or costing too much must be addressed.

Compliance has long been a hurdle, but now agencies can streamline the process and embrace standards more efficiently, more holistically and more strategically. That solution is automation.

Automation simplifies compliance

A gap currently exists between the need to comply and the struggle to do so. And the truth is that automation is necessary to bridge that gap. By automating security compliance processes, agencies can save up to 50 percent of the time and effort required to implement these controls and frameworks, while modernizing systems in a cloud environment.

For example, when the CIA partnered with AWS to stand up an isolated cloud region dedicated for intelligence community use, called C2S, it used an automated security compliance process. By doing so within the flexibility of the AWS cloud architecture, IC customers were able to provision and authorize jobs in minutes to hours what previously required weeks to months. The C2S cloud accelerated the intelligence community’s speed of mission and empowered innovation.

The intelligence community’s C2S success serves as a roadmap for the public sector. For a fraction of the cost, the government can partner with industry to transform its IT infrastructure and develop automated processes that make compliance headaches a thing of the past.